Developing a Security Mindset: Are You Prepared for the Inevitable
When Benjamin Franklin wrote in 1789 “…in this world nothing can be said to be certain, except death and taxes…” the first computer was still 157 years from being built. So, he can be forgiven for not including ‘getting hacked’ in his infamous list of the inevitable. Findings from a University of Maryland study indicating that there is a hacker attack every 39 seconds offer a sobering reminder of the significant risks that accompany the substantial rewards technology makes available in a world Franklin probably would not recognize.
For every major news story about security breaches at large companies and government agencies, there are countless unreported smaller scale attacks that can be just as devastating. What is an organization, or any individual for that matter, to do about these threats? TDK Technologies offers some solid advice on developing a security mindset to deal with inevitable attacks on technology.
What is the best overall approach regarding IT security?
In short, don’t trust anything. There is no silver bullet; you need to have a security mindset.
Basic security measures include an active firewall, virus protection, intrusion prevention and detection for servers, keeping software patched with the latest updates (weekly if not daily on newer operating systems and at least monthly on older versions) and making sure open ports are locked down.
Sensitive data should be encrypted, preferably by multiple functions. Encryption can be broken, so you need to monitor and raise encryption levels when needed.
You can’t stop bad actors from attempting to attack; you need a good perimeter and a good early warning system that indicates when someone may have gotten through.
What is Social Engineering (or Social Hacking) and why is it such a serious threat?
Social hacking is where people manipulate others to gain access. There’s no technological way to guard against it – you have to train your people to question what’s going on around them.
A social hack can work if someone has just enough information about another person to make it seem legitimate, but they are looking for even more information to get access to systems.
How many companies would pass a rigorous security test?
If the test is for both coded penetration and social hacks, about five percent would pass the whole ball of wax. And those are generally small offices with closed, locked down networks. The more people you get, the more vulnerable you are.
You will never prevent every way someone will try to attack you. If a company says they’ve never had a data breach, be wary. They don’t know whether they are truly vulnerable or not, they won’t know how to respond when it happens, and they’ve never dealt with the aftermath of a breach. And that’s where you learn the most about how someone got in.
How then should companies assess their vulnerabilities?
Know your data. Data can be stolen or modified. Companies should be willing to spend some time looking at their systems with a different set of eyes. You can hire firms to do penetration testing from a network level as well as social engineering penetration testing. This can reveal what is most damaging: data loss or data modification (someone injecting data into the system that isn’t real). You can learn what someone can do if they get access to the data. That’s where you start to understand where you are vulnerable.
If you can’t afford to have an ethical company come in and penetration test your company, talk to people inside your industry or outside the company. Ask them if someone got hold of your data, what would they do? You need to know if the data is valuable. And if it is, maybe certain pieces of data coupled with other data creates a gold mine. So, put extra barriers between those sets of data.
Part of security is a façade game. It’s making sure that when they try to attack, what they see and what they feel from cyberspace looks and feels very secure. And that it stays looking that way.
What are some effective deterrents to minimize security threats?
Look at security from the very beginning. Security can’t be something you add on at the end, which is what most people do. To be secure, you must think about it start to finish. Look at physical security, electronic security and at educating the staff.
Regardless of how much security you put in place, what do you do when you do get attacked? Contingency planning is key. You have to know what to do when you get hacked, starting with how to detect when it happens.
How much should an effective security program cost?
The worst thing about security is that it costs money. You are either buying someone else’s security or you are investing a lot of man hours in managing it.
It always comes down to the cost, but a hacker is doing the same thing you are. You are figuring out how much it costs to protect your data; they are trying to figure out the cost of trying to get in, versus the value they can take when they do get in.
To Recap
There are no 12 step programs for security. It is a constant, ongoing pursuit that requires the proper mindset and vigilance.